qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

NVRAM issue with Netgear Firmware emulation & unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED) #464

Closed YannQ404 closed 4 years ago

YannQ404 commented 4 years ago

Hello,

I have not yet succeeded in launching the web interface on an emulated Netgear firmware. However, I did succeed in launching a TCP service on port 8080 and binding it to localhost.

However, when I connect my browser to http://127.0.0.1:8080, qiling sends me back a few errors.

At the first try, there were plenty of NVRAM files not found. Thus, I created "fake" files in the directories of my firmware rootfs.

Question: is that a good solution?

But when relaunching my Python script after those modifications, I receive this error: `unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)`

abstract error dump

```
Traceback (most recent call last):
  File "netgearyann.py", line 13, in <module>
    my_sandbox(["rootfs/netgear_r6220/bin/mini_httpd","-d","/www.eng","-r","NETGEAR R6220","-c","**.cgi","-t","300"], "rootfs/netgear_r6220")
  File "netgearyann.py", line 10, in my_sandbox
    ql.run()
  File "/usr/local/lib/python3.6/dist-packages/qiling/core.py", line 198, in run
    self.os.run()
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/linux.py", line 112, in run
    thread_management.run()
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/thread.py", line 455, in run
    self.runing_time += self.cur_thread.run(bbl_slice = thread_slice, mode = BBL_MODE)
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/thread.py", line 132, in run
    self.ql.emu_start(self.start_address, self.exit_point)
  File "/usr/local/lib/python3.6/dist-packages/qiling/core.py", line 257, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/usr/local/lib/python3.6/dist-packages/unicorn/unicorn.py", line 317, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)

accept(4, 7ff3cb60, 7ff3cb30) = 5
open(/var/lock/httpd.lock, 0x42, 0o644) = -13
[+] open(/var/lock/httpd.lock, O_RDONLY | O_RDWR | 64, 0o644) = -13
[!] File Not Found /home/yann/qiling/examples/rootfs/netgear_r6220/var/lock/httpd.lock
open(/var/httpd.cache, 0x0, 0o666) = -2
[+] open(/var/httpd.cache, O_RDONLY, 0o666) = -2
[!] File Not Found /home/yann/qiling/examples/rootfs/netgear_r6220/var/httpd.cache
access(/tmp/dbg_sessionid, 0x0) = -1
[!] No such file or directory
access(/tmp/dbg_sessionid, 0x0) = -1
[!] No such file or directory
clone(new_stack = 0, flags = 1200012, tls = 0, ptidptr = 0, ctidptr = 77835068) = 5061
[+] Currently running pid is: 5044; tid is: 5044
clone(new_stack = 0, flags = 1200012, tls = 0, ptidptr = 0, ctidptr = 77835068) = 0
[+] Currently running pid is: 5061; tid is: 5061
access(/tmp/dnshj.out, 0x0) = -1
[!] No such file or directory
close(5) = 0
access(/tmp/upgrading, 0x0) = -1
[!] No such file or directory
close(4) = 0
rt_sigaction(0xe, 0x7ff36bb4, = 0x7ff36b98) = 0
alarm(60) = 0
read(5, 0x7ff3a3a8, 0x2710) = 354
alarm(60) = 0
open(/var/lock/tmp_nvram.lock, 0x241, 0o600) = 4
[+] open(/var/lock/tmp_nvram.lock, O_RDONLY | O_WRONLY | O_TRUNC | 64, 0o600) = 4
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/var/lock/tmp_nvram.lock
fcntl64(4, 7, 2146655000) = 0
open(/tmp/nvram, 0x0, 0o17774655430) = 6
[+] open(/tmp/nvram, O_RDONLY, 0o17774655430) = 6
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/tmp/nvram
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x0) = 0
lseek(6, 0x0, 0x0) = 0
close(6) = 0
fcntl64(4, 6, 2146659096) = 0
close(4) = 0
open(/var/lock/etc_default.lock, 0x241, 0o600) = 4
[+] open(/var/lock/etc_default.lock, O_RDONLY | O_WRONLY | O_TRUNC | 64, 0o600) = 4
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/var/lock/etc_default.lock
fcntl64(4, 7, 2146655000) = 0
open(/etc/default, 0x0, 0o17774655430) = 6
[+] open(/etc/default, O_RDONLY, 0o17774655430) = 6
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/etc/default
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x0) = 0
lseek(6, 0x0, 0x0) = 0
close(6) = 0
fcntl64(4, 6, 2146659096) = 0
close(4) = 0
open(/var/lock/tmp_nvram.lock, 0x241, 0o600) = 4
[+] open(/var/lock/tmp_nvram.lock, O_RDONLY | O_WRONLY | O_TRUNC | 64, 0o600) = 4
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/var/lock/tmp_nvram.lock
fcntl64(4, 7, 2146655000) = 0
open(/tmp/nvram, 0x0, 0o17774655430) = 6
[+] open(/tmp/nvram, O_RDONLY, 0o17774655430) = 6
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/tmp/nvram
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x0) = 0
lseek(6, 0x0, 0x0) = 0
close(6) = 0
fcntl64(4, 6, 2146659096) = 0
close(4) = 0
open(/var/lock/etc_default.lock, 0x241, 0o600) = 4
[+] open(/var/lock/etc_default.lock, O_RDONLY | O_WRONLY | O_TRUNC | 64, 0o600) = 4
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/var/lock/etc_default.lock
fcntl64(4, 7, 2146655000) = 0
open(/etc/default, 0x0, 0o17774655430) = 6
[+] open(/etc/default, O_RDONLY, 0o17774655430) = 6
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/etc/default
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x0) = 0
lseek(6, 0x0, 0x0) = 0
close(6) = 0
fcntl64(4, 6, 2146659096) = 0
close(4) = 0
open(/var/lock/tmp_nvram.lock, 0x241, 0o600) = 4
[+] open(/var/lock/tmp_nvram.lock, O_RDONLY | O_WRONLY | O_TRUNC | 64, 0o600) = 4
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/var/lock/tmp_nvram.lock
fcntl64(4, 7, 2146655000) = 0
open(/tmp/nvram, 0x0, 0o17774655430) = 6
[+] open(/tmp/nvram, O_RDONLY, 0o17774655430) = 6
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/tmp/nvram
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x0) = 0
lseek(6, 0x0, 0x0) = 0
close(6) = 0
fcntl64(4, 6, 2146659096) = 0
close(4) = 0
open(/var/lock/etc_default.lock, 0x241, 0o600) = 4
[+] open(/var/lock/etc_default.lock, O_RDONLY | O_WRONLY | O_TRUNC | 64, 0o600) = 4
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/var/lock/etc_default.lock
fcntl64(4, 7, 2146655000) = 0
open(/etc/default, 0x0, 0o17774655430) = 6
[+] open(/etc/default, O_RDONLY, 0o17774655430) = 6
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/etc/default
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x0) = 0
lseek(6, 0x0, 0x0) = 0
close(6) = 0
fcntl64(4, 6, 2146659096) = 0
close(4) = 0
[!] Emulation Error

[-] zero : 0x0
[-] at : 0x7778f990
[-] v0 : 0x0
[-] v1 : 0x31
[-] a0 : 0x43002e
[-] a1 : 0x0
[-] a2 : 0x7ff36b18
[-] a3 : 0x0
[-] t0 : 0x4
[-] t1 : 0x0
[-] t2 : 0x200
[-] t3 : 0x100
[-] t4 : 0x807
[-] t5 : 0x800
[-] t6 : 0x400
[-] t7 : 0x8
[-] s0 : 0x420000
[-] s1 : 0x410000
[-] s2 : 0x420000
[-] s3 : 0x420000
[-] s4 : 0x420000
[-] s5 : 0x420000
[-] s6 : 0x420000
[-] s7 : 0x420000
[-] t8 : 0x0
[-] t9 : 0x777995c0
[-] k0 : 0x0
[-] k1 : 0x0
[-] gp : 0x42b080
[-] sp : 0x7ff36bd8
[-] s8 : 0x430018
[-] ra : 0x40a0e4
[-] status : 0x0
[-] lo : 0x0
[-] hi : 0x0
[-] badvaddr : 0x0
[-] cause : 0x0
[-] pc : 0x777995c0
[-] cp0_config3 : 0x2000
[-] cp0_userlocal : 0x7783c470

[+] PC = 0x777995c0
[+] Start      End        Perm.   Path
[+] 00400000 - 00413000 - r-x    /home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd (/home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd)
[+] 00422000 - 00424000 - rw-    /home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd (/home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd)
[+] 00424000 - 0042e000 - rwx    /home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd (/home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd)
[+] 0042e000 - 00430000 - rwx    [hook_mem] (/home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd)
[+] 00430000 - 00431000 - rwx    [brk]
[+] 047ba000 - 047d3000 - rwx    /home/yann/qiling/examples/rootfs/netgear_r6220/lib/ld-uClibc.so.0
[+] 774bf000 - 774c0000 - rwx    [syscall_mmap]
[+] 774c1000 - 774c4000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libscnvram.so
[+] 774c4000 - 774d3000 - rwx    [syscall_mmap]
[+] 774d3000 - 774d4000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libscnvram.so
[+] 774d5000 - 77533000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libssl.so.0.9.8
[+] 77533000 - 77542000 - rwx    [syscall_mmap]
[+] 77542000 - 77548000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libssl.so.0.9.8
[+] 77549000 - 776fd000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libcrypto.so.0.9.8
[+] 776fd000 - 7770c000 - rwx    [syscall_mmap]
[+] 7770c000 - 77723000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libcrypto.so.0.9.8
[+] 77723000 - 77725000 - rwx    [syscall_mmap]
[+] 77726000 - 77752000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libgcc_s.so.1
[+] 77752000 - 77761000 - rwx    [syscall_mmap]
[+] 77761000 - 77762000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libgcc_s.so.1
[+] 77763000 - 77809000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libuClibc-0.9.33.2.so
[+] 77809000 - 77818000 - rwx    [syscall_mmap]
[+] 77818000 - 7781a000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libuClibc-0.9.33.2.so
[+] 7781a000 - 77820000 - rwx    [syscall_mmap]
[+] 77821000 - 77824000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libdl-0.9.33.2.so
[+] 77824000 - 77833000 - rwx    [syscall_mmap]
[+] 77833000 - 77835000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libdl-0.9.33.2.so
[+] 77835000 - 77836000 - rwx    [syscall_mmap]
[+] 7ff0d000 - 7ff3d000 - rwx    [stack]
[+] ['0x0', '0x0', '0x83', '0x90', '0x0', '0x0', '0xa2', '0x90']

[+] 0x777995c0 00 00 83 90 00 00 a2 90 01 00 84 24 03 00 60 14 01 00 a5 24 08 00 e0 03 23 10 02 00 f9 ff 62 50 00 00 83 90 23 10 62 00 08 00 e0 03 00 00 00 00 21 10 80 00 03 00 00 10 21 18 80 00 01 00 a5 24
lbu $v1, ($a0)
lbu $v0, ($a1)
addiu $a0, $a0, 1
bnez $v1, 0x777995dc
addiu $a1, $a1, 1
jr $ra
negu $v0, $v0
beql $v1, $v0, 0x777995c4
lbu $v1, ($a0)
subu $v0, $v1, $v0
jr $ra
nop
move $v0, $a0
b 0x77799604
move $v1, $a0
addiu $a1, $a1, 1
Traceback (most recent call last):
  File "netgearyann.py", line 13, in <module>
    my_sandbox(["rootfs/netgear_r6220/bin/mini_httpd","-d","/www.eng","-r","NETGEAR R6220","-c","**.cgi","-t","300"], "rootfs/netgear_r6220")
  File "netgearyann.py", line 10, in my_sandbox
    ql.run()
  File "/usr/local/lib/python3.6/dist-packages/qiling/core.py", line 198, in run
    self.os.run()
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/linux.py", line 112, in run
    thread_management.run()
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/thread.py", line 455, in run
    self.runing_time += self.cur_thread.run(bbl_slice = thread_slice, mode = BBL_MODE)
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/thread.py", line 132, in run
    self.ql.emu_start(self.start_address, self.exit_point)
  File "/usr/local/lib/python3.6/dist-packages/qiling/core.py", line 257, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/usr/local/lib/python3.6/dist-packages/unicorn/unicorn.py", line 317, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)
```

Do I need to find another way to emulate the NVRAM? If yes, any advice would be appreciated.

Here is my Python script:

```python
import sys
from qiling import *

def my_sandbox(path, rootfs):
    ql = Qiling(path, rootfs, output="debug", profile='netgear_6220lastversion.ql', log_dir='qlog')
    ql.bindtolocalhost = True
    ql.multithread = True

    ql.add_fs_mapper('/proc', '/proc')
    ql.run()

if __name__ == "__main__":
    my_sandbox(["rootfs/netgear_r6220/bin/mini_httpd","-d","/www.eng","-r","NETGEAR R6220","-c","**.cgi","-t","300"], "rootfs/netgear_r6220")
```

Thanks for your help
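Before creating stub files by hand, it helps to pull the failing path lookups out of the qiling debug trace and see which errno each one returned. The parser below is an added example (not part of this issue or of the Qiling project) that runs over a constructed excerpt shaped like the trace above: `-2` and `-13` are decoded as ENOENT and EACCES, the `[!]` message line qiling prints after a failed call is attached to its entry, and repeated lookups of the same path are folded into one entry, so a missing file (a stub or an `add_fs_mapper` entry may satisfy it) and a permission failure (a stub does not fix it) can be triaged separately. The syscall names in the regex and the errno table are assumptions covering the calls seen in this trace, nothing more.

```python
import re

# Constructed excerpt in the shape of the qiling "debug" syscall trace pasted in
# the issue (abridged; not the full log).
SAMPLE_TRACE = """\
accept(4, 7ff3cb60, 7ff3cb30) = 5
open(/var/lock/httpd.lock, 0x42, 0o644) = -13
[+] open(/var/lock/httpd.lock, O_RDONLY | O_RDWR | 64, 0o644) = -13
[!] File Not Found /home/yann/qiling/examples/rootfs/netgear_r6220/var/lock/httpd.lock
open(/var/httpd.cache, 0x0, 0o666) = -2
[+] open(/var/httpd.cache, O_RDONLY, 0o666) = -2
[!] File Not Found /home/yann/qiling/examples/rootfs/netgear_r6220/var/httpd.cache
access(/tmp/dbg_sessionid, 0x0) = -1
[!] No such file or directory
open(/tmp/nvram, 0x0, 0o17774655430) = 6
[+] open(/tmp/nvram, O_RDONLY, 0o17774655430) = 6
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/tmp/nvram
open(/var/httpd.cache, 0x0, 0o666) = -2
[+] open(/var/httpd.cache, O_RDONLY, 0o666) = -2
[!] File Not Found /home/yann/qiling/examples/rootfs/netgear_r6220/var/httpd.cache
"""

# Raw syscall line as qiling prints it: name(path, ...) = ret
# (the syscall list is an assumption: the path-taking calls seen in this trace)
RAW_RE = re.compile(
    r"^(?P<name>open|access|stat|stat64|lstat|readlink)\((?P<path>/[^,)]*)[^)]*\) = (?P<ret>-?\d+)$")
# Follow-up lines qiling emits after a failed lookup
HOST_RE = re.compile(r"^\[!\] File Not Found (?P<host>/\S+)$")
MSG_RE = re.compile(r"^\[!\] (?P<msg>.+)$")

# Linux errno values that appear as negative return codes in the trace
ERRNO_NAMES = {-2: "ENOENT", -13: "EACCES"}


def failed_path_lookups(trace):
    """One dict per failed path-taking syscall, in trace order: guest path,
    decoded errno, the host path qiling tried (when it printed one), the
    explanatory message, and a hit count for repeated lookups of one path."""
    entries, last = [], None
    for line in trace.splitlines():
        m = RAW_RE.match(line)
        if m:
            ret = int(m["ret"])
            last = None                      # a success closes the previous entry
            if ret < 0:
                last = {"syscall": m["name"], "guest": m["path"], "ret": ret,
                        "errno": ERRNO_NAMES.get(ret, str(ret)),
                        "host": None, "message": None, "count": 1}
                entries.append(last)
            continue
        if last is None:
            continue                         # "[+] ..." lines after a success
        h = HOST_RE.match(line)
        if h:
            last["host"], last["message"] = h["host"], "File Not Found"
        else:
            g = MSG_RE.match(line)
            if g and last["message"] is None:
                last["message"] = g["msg"]
    folded, by_key = [], {}
    for e in entries:
        key = (e["syscall"], e["guest"])
        if key in by_key:
            by_key[key]["count"] += 1
        else:
            by_key[key] = e
            folded.append(e)
    return folded


def by_errno(entries):
    """Group guest paths by decoded errno, so ENOENT and EACCES are triaged
    separately instead of all being answered with an empty stub file."""
    groups = {}
    for e in entries:
        groups.setdefault(e["errno"], []).append(e["guest"])
    return groups


if __name__ == "__main__":
    for errno_name, paths in by_errno(failed_path_lookups(SAMPLE_TRACE)).items():
        print(errno_name, paths)
```

Run it over the full trace saved from `log_dir` and the ENOENT group is the list of paths to decide about; anything in the EACCES group needs a look at the host-side permissions of the rootfs directory rather than a new file.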

xwings commented 4 years ago

I do not remember what I did. But the best way is you need to study the disasm a bit and find out.

One thing with this Netgear is each version is a bit different and I am losing track.

As far as I can recall, there are some versions where you need to play with the log file, some with the memory map range.

Enjoy hacking, this firmware is fun to play with. As fun as those R6400 series.

If you need advice, what I can tell you is: there are some cool Netgear or D-Link firmware you can try. Try a few more until you can get one running. That's how you learn.

YannQ404 commented 4 years ago

I tried another solution to emulate the NVRAM (according to the script found in HITB2020).

Here is the script I use now:

```python
import sys
from qiling import *

class Fake_nvram:
    def __init__(self, init_buf):
        self.buf = init_buf
        self.cur_offset = 0

    def read(self, size):
        data = bytes(self.buf[self.cur_offset: self.cur_offset + size])
        self.cur_offset += len(data)  # advance like read(2) so successive reads do not return the same bytes
        return data

    def write(self, s):
        self.buf = s
        return len(s)  # write(2) returns the number of bytes written

    def fstat(self):
        return -1

    def close(self):
        return 0

    def lseek(self, offset, origin=0, **kwargs):
        if origin == 0: # seek to beginning of file
            self.cur_offset = offset

        elif origin == 1: # seek to cur_offset + offset
            self.cur_offset += offset

        elif origin == 2: # seek to the end of file
            # SEEK_END is one past the last byte (len, not len - 1): with len - 1 a
            # 10-byte buffer reports size 9 and the firmware's read drops the NUL
            self.cur_offset = len(self.buf) + offset

        return self.cur_offset

fake_nvram = Fake_nvram(b"os=qiling\x00")

def my_sandbox(path, rootfs):
    ql = Qiling(path, rootfs, output="debug", profile='netgear_6220lastversion.ql', log_dir='qlog')
    ql.add_fs_mapper("/tmp/nvram", fake_nvram)
    ql.bindtolocalhost = True
    ql.multithread = True
    ql.add_fs_mapper('/proc', '/proc')
    ql.run()

if __name__ == "__main__":
    my_sandbox(["rootfs/netgear_r6220/bin/mini_httpd","-d","/www.eng","-r","NETGEAR R6220","-c","**.cgi","-t","300"], "rootfs/netgear_r6220")
```

But the same error again:

```
open(/var/lock/etc_default.lock, 0x241, 0o600) = 4
[+] open(/var/lock/etc_default.lock, O_RDONLY | O_WRONLY | O_TRUNC | 64, 0o600) = 4
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/var/lock/etc_default.lock
fcntl64(4, 7, 2146655000) = 0
open(/etc/default, 0x0, 0o17774655430) = 6
[+] open(/etc/default, O_RDONLY, 0o17774655430) = 6
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/etc/default
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x0) = 0
lseek(6, 0x0, 0x0) = 0
close(6) = 0
fcntl64(4, 6, 2146659096) = 0
close(4) = 0
open(/var/lock/tmp_nvram.lock, 0x241, 0o600) = 4
[+] open(/var/lock/tmp_nvram.lock, O_RDONLY | O_WRONLY | O_TRUNC | 64, 0o600) = 4
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/var/lock/tmp_nvram.lock
fcntl64(4, 7, 2146655000) = 0
open(/tmp/nvram, 0x0, 0o17774655430) = 6
[+] open(/tmp/nvram, O_RDONLY, 0o17774655430) = 6
[+] File Found: <__main__.Fake_nvram object at 0x7fc580e68b00>
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x2) = 9
lseek(6, 0x0, 0x0) = 0
lseek(6, 0x0, 0x0) = 0
read(6, 0x430378, 0x9) = 9
close(6) = 0
fcntl64(4, 6, 2146659096) = 0
close(4) = 0
open(/var/lock/etc_default.lock, 0x241, 0o600) = 4
[+] open(/var/lock/etc_default.lock, O_RDONLY | O_WRONLY | O_TRUNC | 64, 0o600) = 4
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/var/lock/etc_default.lock
fcntl64(4, 7, 2146655000) = 0
open(/etc/default, 0x0, 0o17774655430) = 6
[+] open(/etc/default, O_RDONLY, 0o17774655430) = 6
[+] File Found: /home/yann/qiling/examples/rootfs/netgear_r6220/etc/default
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x2) = 0
lseek(6, 0x0, 0x0) = 0
lseek(6, 0x0, 0x0) = 0
close(6) = 0
fcntl64(4, 6, 2146659096) = 0
close(4) = 0
[!] Emulation Error

[-] zero : 0x0
[-] at : 0x7778f990
[-] v0 : 0x0
[-] v1 : 0x31
[-] a0 : 0x43002e
[-] a1 : 0x0
[-] a2 : 0x7ff36b18
[-] a3 : 0x0
[-] t0 : 0x4
[-] t1 : 0x0
[-] t2 : 0x200
[-] t3 : 0x100
[-] t4 : 0x807
[-] t5 : 0x800
[-] t6 : 0x400
[-] t7 : 0x8
[-] s0 : 0x420000
[-] s1 : 0x410000
[-] s2 : 0x420000
[-] s3 : 0x420000
[-] s4 : 0x420000
[-] s5 : 0x420000
[-] s6 : 0x420000
[-] s7 : 0x420000
[-] t8 : 0x0
[-] t9 : 0x777995c0
[-] k0 : 0x0
[-] k1 : 0x0
[-] gp : 0x42b080
[-] sp : 0x7ff36bd8
[-] s8 : 0x430018
[-] ra : 0x40a0e4
[-] status : 0x0
[-] lo : 0x0
[-] hi : 0x0
[-] badvaddr : 0x0
[-] cause : 0x0
[-] pc : 0x777995c0
[-] cp0_config3 : 0x2000
[-] cp0_userlocal : 0x7783c470

[+] PC = 0x777995c0
[+] Start      End        Perm.   Path
[+] 00400000 - 00413000 - r-x    /home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd (/home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd)
[+] 00422000 - 00424000 - rw-    /home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd (/home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd)
[+] 00424000 - 0042e000 - rwx    /home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd (/home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd)
[+] 0042e000 - 00430000 - rwx    [hook_mem] (/home/yann/qiling/examples/rootfs/netgear_r6220/bin/mini_httpd)
[+] 00430000 - 00431000 - rwx    [brk]
[+] 047ba000 - 047d3000 - rwx    /home/yann/qiling/examples/rootfs/netgear_r6220/lib/ld-uClibc.so.0
[+] 774bf000 - 774c0000 - rwx    [syscall_mmap]
[+] 774c1000 - 774c4000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libscnvram.so
[+] 774c4000 - 774d3000 - rwx    [syscall_mmap]
[+] 774d3000 - 774d4000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libscnvram.so
[+] 774d5000 - 77533000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libssl.so.0.9.8
[+] 77533000 - 77542000 - rwx    [syscall_mmap]
[+] 77542000 - 77548000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libssl.so.0.9.8
[+] 77549000 - 776fd000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libcrypto.so.0.9.8
[+] 776fd000 - 7770c000 - rwx    [syscall_mmap]
[+] 7770c000 - 77723000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libcrypto.so.0.9.8
[+] 77723000 - 77725000 - rwx    [syscall_mmap]
[+] 77726000 - 77752000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libgcc_s.so.1
[+] 77752000 - 77761000 - rwx    [syscall_mmap]
[+] 77761000 - 77762000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libgcc_s.so.1
[+] 77763000 - 77809000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libuClibc-0.9.33.2.so
[+] 77809000 - 77818000 - rwx    [syscall_mmap]
[+] 77818000 - 7781a000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libuClibc-0.9.33.2.so
[+] 7781a000 - 77820000 - rwx    [syscall_mmap]
[+] 77821000 - 77824000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libdl-0.9.33.2.so
[+] 77824000 - 77833000 - rwx    [syscall_mmap]
[+] 77833000 - 77835000 - rwx    [mmap] /home/yann/qiling/examples/rootfs/netgear_r6220/lib/libdl-0.9.33.2.so
[+] 77835000 - 77836000 - rwx    [syscall_mmap]
[+] 7ff0d000 - 7ff3d000 - rwx    [stack]
[+] ['0x0', '0x0', '0x83', '0x90', '0x0', '0x0', '0xa2', '0x90']

[+] 0x777995c0 00 00 83 90 00 00 a2 90 01 00 84 24 03 00 60 14 01 00 a5 24 08 00 e0 03 23 10 02 00 f9 ff 62 50 00 00 83 90 23 10 62 00 08 00 e0 03 00 00 00 00 21 10 80 00 03 00 00 10 21 18 80 00 01 00 a5 24
lbu $v1, ($a0)
lbu $v0, ($a1)
addiu $a0, $a0, 1
bnez $v1, 0x777995dc
addiu $a1, $a1, 1
jr $ra
negu $v0, $v0
beql $v1, $v0, 0x777995c4
lbu $v1, ($a0)
subu $v0, $v1, $v0
jr $ra
nop
move $v0, $a0
b 0x77799604
move $v1, $a0
addiu $a1, $a1, 1
Traceback (most recent call last):
  File "netgearyannfakenvram.py", line 47, in <module>
    my_sandbox(["rootfs/netgear_r6220/bin/mini_httpd","-d","/www.eng","-r","NETGEAR R6220","-c","**.cgi","-t","300"], "rootfs/netgear_r6220")
  File "netgearyannfakenvram.py", line 44, in my_sandbox
    ql.run()
  File "/usr/local/lib/python3.6/dist-packages/qiling/core.py", line 198, in run
    self.os.run()
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/linux.py", line 112, in run
    thread_management.run()
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/thread.py", line 455, in run
    self.runing_time += self.cur_thread.run(bbl_slice = thread_slice, mode = BBL_MODE)
  File "/usr/local/lib/python3.6/dist-packages/qiling/os/linux/thread.py", line 132, in run
    self.ql.emu_start(self.start_address, self.exit_point)
  File "/usr/local/lib/python3.6/dist-packages/qiling/core.py", line 257, in emu_start
    self.uc.emu_start(begin, end, timeout, count)
  File "/usr/local/lib/python3.6/dist-packages/unicorn/unicorn.py", line 317, in emu_start
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory read (UC_ERR_READ_UNMAPPED)
```

Any idea how to work around this issue I have?

Thanks
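Two details of the trace above are worth reading before changing the NVRAM emulation again. First, the fake file answers `lseek(6, 0x0, 0x2) = 9` for a 10-byte buffer, so the firmware sizes the file at 9 bytes and `read(6, 0x430378, 0x9)` returns `os=qiling` without its terminating NUL: the SEEK_END branch lands on the last byte instead of one past it. Second, the fault PC sits in a byte-by-byte string compare (`lbu $v1, ($a0)` / `lbu $v0, ($a1)`) with `$a1 = 0x0`, which is what a NULL pointer looks like when a configuration lookup for an absent key reaches strcmp; the dump does not prove that is the cause here, but it is the first thing to rule out. The class below is an added example, not code from this issue, from HITB2020 or from the Qiling project: a fake NVRAM object with read(2)/lseek(2)/fstat(2) semantics that keeps its content as key/value pairs, so an absent key is an explicit `None` rather than a silent miss. The record layout (key=value terminated by a NUL byte, taken from the `b"os=qiling\x00"` sample buffer), the sample key names and the set of fields `fstat()` reports are assumptions to check against libscnvram.

```python
import errno
import stat
from types import SimpleNamespace


class FakeNvram:
    """In-memory stand-in for the /tmp/nvram text file that libscnvram opens.

    Exposes the file-like protocol the posted script hands to qiling's
    add_fs_mapper (read / write / lseek / fstat / close) with read(2) and
    lseek(2) offset semantics, and builds the content from key/value pairs
    laid out as "key=value" records each terminated by a NUL byte. That
    layout is an assumption taken from the sample buffer in the issue.
    """
    SEEK_SET, SEEK_CUR, SEEK_END = 0, 1, 2

    def __init__(self, entries):
        self.entries = dict(entries)
        self.cur_offset = 0
        self._rebuild()

    def _rebuild(self):
        # Serialise the dict into the NUL-separated record layout.
        self.buf = bytearray()
        for key, value in self.entries.items():
            self.buf += f"{key}={value}".encode() + b"\x00"

    def _reparse(self):
        # Rebuild the dict after a write() has changed the raw bytes.
        self.entries = {}
        for rec in bytes(self.buf).split(b"\x00"):
            if b"=" in rec:
                key, value = rec.split(b"=", 1)
                self.entries[key.decode(errors="replace")] = value.decode(errors="replace")

    # --- NVRAM view ---------------------------------------------------------
    def get(self, key):
        """Lookup as an nvram_get() sees it: None stands in for the NULL a C
        caller receives for an absent key (and would fault on in strcmp)."""
        return self.entries.get(key)

    def set(self, key, value):
        self.entries[key] = value
        self._rebuild()

    # --- file-like protocol used by qiling's fs mapper ----------------------
    def read(self, size):
        # read(2): at most `size` bytes from the offset, then advance; b"" is EOF.
        chunk = bytes(self.buf[self.cur_offset:self.cur_offset + size])
        self.cur_offset += len(chunk)
        return chunk

    def write(self, data):
        # write(2) on a regular file: overwrite at the offset, grow if needed,
        # return the number of bytes written.
        end = self.cur_offset + len(data)
        if end > len(self.buf):
            self.buf.extend(b"\x00" * (end - len(self.buf)))
        self.buf[self.cur_offset:end] = data
        self.cur_offset = end
        self._reparse()
        return len(data)

    def lseek(self, offset, origin=0, **kwargs):
        # lseek(2): SEEK_END resolves to len(buf), one past the last byte.
        base = {self.SEEK_SET: 0, self.SEEK_CUR: self.cur_offset,
                self.SEEK_END: len(self.buf)}.get(origin)
        if base is None or base + offset < 0:
            return -errno.EINVAL
        self.cur_offset = base + offset
        return self.cur_offset

    def fstat(self):
        # A regular file of the current size. The attribute names mirror
        # os.stat_result; that qiling's fstat handler reads exactly these is an
        # assumption.
        size = len(self.buf)
        return SimpleNamespace(st_dev=0, st_ino=0, st_mode=stat.S_IFREG | 0o644,
                               st_nlink=1, st_uid=0, st_gid=0, st_rdev=0,
                               st_size=size, st_blksize=4096,
                               st_blocks=(size + 511) // 512,
                               st_atime=0, st_mtime=0, st_ctime=0)

    def close(self):
        return 0


def demo_store():
    # Constructed sample store; the key names are illustrative, not taken from
    # the firmware. In the sandbox it would be registered with
    #   ql.add_fs_mapper("/tmp/nvram", demo_store())
    return FakeNvram({"os": "qiling", "http_port": "8080"})
```

When the firmware still faults with a populated store, compare the key it was asking for (the string at `$a0`, here `0x43002e`, in the memory dump) against the keys the store holds; that tells you whether the NULL came from the NVRAM side or from somewhere else, which is the disassembly work xwings points at.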

xwings commented 4 years ago

I don't think it's an NVRAM issue. The firmware reads from a /tmp/nvram which is a txt file. Like I said, I don't remember what I did.

Also please remember: Qiling is a framework, not an emulation tool. So, using Qiling to set up the right environment for the firmware is very important.

Unless you make an IoT tool on top of Qiling, then it should be automated.

YannQ404 commented 4 years ago

Thanks for your advice. I will continue :-) A+ Yann